Query Details

Monitor DLLs By Signer

Query

DeviceImageLoadEvents
| where TimeGenerated > ago(90d) // change to 30d if using advanced hunting without Sentinel (30-day retention); that schema names the time column Timestamp rather than TimeGenerated
| where FileName contains ".dll"
| join DeviceFileCertificateInfo on $left.SHA1 == $right.SHA1 // default join kind is innerunique: one left row per SHA1 value; the right-hand SHA1 is emitted as SHA11
| where FileName contains ".dll" // FileName comes only from the left table, so this filter is redundant but harmless
| summarize make_set(FileName) by Signer

Explanation

This query is analyzing device image load events to find information about DLL files and their associated certificates. Here's a simplified breakdown:

  1. Data Source: It starts with the DeviceImageLoadEvents table, which records image (DLL) load events on onboarded devices.

  2. Time Filter: It filters the data to include only events from the last 90 days. If you're using advanced hunting without Microsoft Sentinel, you should change this to the last 30 days, because advanced hunting only retains 30 days of data.

  3. File Filter: It looks specifically for files with names that contain ".dll", indicating they are dynamic link library files.

  4. Join Operation: It joins this data with the DeviceFileCertificateInfo table based on the SHA1 hash of the files. This step is used to get certificate information (including the Signer column) for the DLL files. Because no join kind is specified, KQL uses innerunique, which keeps one left-side row per SHA1 value.

  5. Additional File Filter: It again ensures that only DLL files are considered after the join. Since FileName is only present on the left-hand table, this repeated filter does not change the result.

  6. Summarization: Finally, it summarizes the data by creating a set of unique DLL file names for each signer (the entity that signed the file).

In simple terms, this query is identifying all unique DLL files loaded on devices in the last 90 days, along with the signers of these files, by linking file load events with their certificate information.
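The following variant is an added example and is not part of the original query or the author's page. It builds on the same DeviceImageLoadEvents to DeviceFileCertificateInfo join but narrows the output to DLLs whose signer is missing or whose certificate chain is not trusted, and adds load counts, device counts and first/last-seen times so a reviewer can prioritise what to look at. It assumes the Sentinel column name TimeGenerated; the 90d window, the per-SHA1 arg_max deduplication and the set-size limits are choices made for this example.

```kql
// Added example (not the original page's query): surface DLLs with untrusted or missing signers.
// Assumes Sentinel schema (TimeGenerated). For advanced hunting without Sentinel,
// replace TimeGenerated with Timestamp and ago(90d) with ago(30d).
DeviceImageLoadEvents
| where TimeGenerated > ago(90d)
| where FileName endswith ".dll"
// Reduce certificate info to one row per hash (most recent observation) before joining,
// so a DLL seen on many devices does not multiply the load events.
| join kind=inner (
    DeviceFileCertificateInfo
    | summarize arg_max(TimeGenerated, Signer, IsSigned, IsTrusted, SignatureType) by SHA1
  ) on SHA1
// Keep only DLLs whose certificate is not trusted or that carry no signer at all.
| where IsTrusted == false or isempty(Signer)
| summarize LoadCount = count(),
            Devices   = dcount(DeviceId),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            Files     = make_set(FileName, 50),   // cap set size to keep rows readable
            Paths     = make_set(FolderPath, 20)
  by Signer, SHA1, IsSigned, IsTrusted, SignatureType
| order by Devices desc, LoadCount desc
```

Sorting by the number of affected devices first puts widely loaded untrusted DLLs at the top; a low device count with a high load count is the pattern to check for a single host repeatedly loading an unknown library.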

Details


Jay Kerai

Released: January 14, 2026

Tables

DeviceImageLoadEvents, DeviceFileCertificateInfo

Keywords

DeviceImageLoadEvents, DeviceFileCertificateInfo, FileName, Signer

Operators

where, ago, contains, join, on, summarize, make_set, by
